NSA Opts for Open-Source Sleuthing of Cyber Threats

essidsolutions

Cyber security is taking an open-source step forward with the National Security Agency’s release of tools designed to reverse-engineer malware that holds people and companies hostage when their systems become infected.

Unveiled at the recent RSA security conference in San Francisco, the NSA’s Ghidra application for disassembling machine-instruction code covers a spectrum of operating systems and chip architectures for data centers and devices alike. By making the tool an open source kit, the Defense Department’s top secret data intelligence agency is enlisting private developers to help it fight cyber crime.

The interactive tool kit separates malicious code from its machine-executable instructions. Analysts can then cross-reference code sections within API parameters by converting the code to data and allowing experts to interpret instructions in human language. NSA says its Java-based suite works with popular x86 chip architectures and those from the Silicon Valley designer ARM, as well as with the Zilog Z80 standard and others.

Reverse engineering is a technique that developers use when source code cannot be documented or when programs do not correspond to their original instructions. Similar to black box testing, it gives developers a window into development cycles.

Deconstructing malicious software provides clues about the extent of imminent threats and their capabilities, including the instructions that trigger the malware. It can also help cyber sleuths hunt down the sources of malignant code and build defenses.

Ghidra is similar to a host of commercial offerings from providers who charge up to $4,000 for floating licenses on multiple networked machines. Unlike open-source Ghidra, those tools compel users to provide personal information when licensing the product.

Created more than a decade ago and developed by the NSA’s research directorate, the Ghidra application is tailored for most operating systems. Microsoft’s flagship Windows, the system that underpins nearly half of all PCs, is covered, as is Apple’s Mac operating system and the Linux open-source systems.

In addition, Ghidra is configured both for the systems that run Android mobile phones and Apple’s iPhones. In 2012, the NSA released mandatory access control patches for AndroidOpens a new window that runs on Linux to limit the damage from malware from applications installed on mobile devices.

Ghidra features a modelling language called Sleigh that specifies how instructions are disassembled, and developers can create Ghidra extensions using both the Python programming language and JavaScript. A version-control tool that stores successive versions of forked Ghidra is complemented by a dedicated repository that lets users share code libraries.
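To make the "code to data to human-readable instructions" step concrete, here is a minimal table-driven Z80 disassembler. It is an added teaching example written by the editor, not Ghidra code and not part of the original article: the opcode table covers a dozen Z80 instructions chosen for illustration (in Ghidra, a Sleigh specification plays the role of this table for every supported processor), the byte sequence is constructed, and the trailing 0xED prefix byte is deliberately absent from the table to show how a linear sweep misreads bytes it cannot decode.

```python
"""Minimal table-driven Z80 disassembler (constructed teaching example)."""
import struct

# Opcode table (constructed subset): first byte -> (mnemonic template, operand bytes).
# {n} = 8-bit immediate, {nn} = 16-bit little-endian immediate,
# {e} = signed 8-bit offset relative to the next instruction.
OPCODES = {
    0x00: ("NOP", 0),
    0x06: ("LD B,{n}", 1),
    0x0E: ("LD C,{n}", 1),
    0x18: ("JR {e}", 1),
    0x21: ("LD HL,{nn}", 2),
    0x3C: ("INC A", 0),
    0x3E: ("LD A,{n}", 1),
    0x76: ("HALT", 0),
    0xAF: ("XOR A", 0),
    0xC3: ("JP {nn}", 2),
    0xC9: ("RET", 0),
    0xCD: ("CALL {nn}", 2),
}


def decode(code, offset, base):
    """Decode one instruction at code[offset]. Returns (length, text)."""
    op = code[offset]
    if op not in OPCODES:
        # Unknown byte: emit it as data. A real prefix byte (0xED, 0xDD, ...)
        # landing here means the following bytes will be misinterpreted too.
        return 1, "DB 0x%02X  ; unknown opcode" % op
    mnem, nbytes = OPCODES[op]
    if offset + 1 + nbytes > len(code):
        return len(code) - offset, "DB ...  ; truncated instruction"
    if nbytes == 0:
        text = mnem
    elif "{e}" in mnem:
        rel = struct.unpack("<b", code[offset + 1:offset + 2])[0]
        target = base + offset + 2 + rel          # relative to next instruction
        text = mnem.format(e="0x%04X" % target)
    elif nbytes == 1:
        text = mnem.format(n="0x%02X" % code[offset + 1])
    else:
        nn = struct.unpack("<H", code[offset + 1:offset + 3])[0]
        text = mnem.format(nn="0x%04X" % nn)
    return 1 + nbytes, text


def disassemble(code, base=0):
    """Linear sweep: returns a list of (address, raw hex bytes, text)."""
    listing, pc = [], 0
    while pc < len(code):
        length, text = decode(code, pc, base)
        raw = " ".join("%02X" % b for b in code[pc:pc + length])
        listing.append((base + pc, raw, text))
        pc += length
    return listing


def format_listing(listing):
    """Render the listing as text lines, one instruction per line."""
    return ["%04X  %-9s %s" % row for row in listing]


# Constructed sample: a tiny routine followed by an undecodable prefix byte.
SAMPLE = bytes([
    0xAF,               # XOR A
    0x3E, 0x05,         # LD A,0x05
    0x21, 0x00, 0x80,   # LD HL,0x8000
    0xCD, 0x10, 0x00,   # CALL 0x0010
    0x18, 0xFE,         # JR -2 (jumps to itself)
    0xC9,               # RET
    0xED, 0x44,         # NEG on a real Z80; 0xED is not in this table
])

if __name__ == "__main__":
    for line in format_listing(disassemble(SAMPLE, base=0x0100)):
        print(line)
```

The last two bytes are the point of the exercise: because the 0xED prefix is missing from the table, the sweep emits two data bytes instead of one NEG instruction. Incomplete processor specifications and code interleaved with data produce exactly this kind of misaligned listing, which is one reason disassemblers that handle many architectures keep their instruction definitions in a separate specification language rather than hard-coding them.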

Ghidra’s functionality permits undoing and redoing execution of malware and its embedded functionality, enabling repeated cycles of analysis, for example of the impediments hackers place in malware to thwart detection and defusing efforts. Ghidra lets users extract code that is nested within overlying programs and import functions for comparison against previously captured malicious code.

NSA is releasing Ghidra in a series of modules, meaning that developers and cyber security teams can pick and choose among the functionalities best suited for their enterprises. Offering components, instead of ready-made packages, lets the NSA retain control over the breadth of the code, as well as allowing it to keep some tools and functionalities for proprietary use.

Unlike its commercial brethren, the Ghidra suite does not offer a debugger. But security experts expect that coders will create a debugger for the open-source community, enabling users to tailor it to their systems’ requirements.

The NSA is making Ghidra available for download on a dedicated page, as well as on the Microsoft-owned GitHub open source platform. In addition to enhancing security and tool kit development, the agency hopes that familiarity with the application will help in recruiting drives.